SystemAdmin
3908 Posts

Pinned topic Redirect IHS to Tomcat

2012-11-26T05:27:54Z
At the moment we have an app that gets authenticated through WebSEAL, i.e. we get connected via WebSEAL->IHS->Web App sitting on WebSphere Server.
Because of WebApp support issues, I am migrating the WebApp onto Tomcat Server, i.e. I will have WebSEAL->IHS->Web App sitting on Tomcat Server. Tomcat and IHS are on the same machine.

While connecting from IHS to Tomcat, I am getting the following errors.
"SL0234W: SSL Handshake Failed, The certificate sent by the peer has expired or is invalid. at 16:06:11.000461596"
Certificate validation error during handshake, last PKIX/RFC3280 certificate validation error was GSKVAL_ERROR_NO_CHAIN_BUILT at 16:06:11.000461596

In the IHS httpd.conf I added the configuration below.
<VirtualHost cwktstk1:11210>
ServerName cwktstk1
DocumentRoot "E:\htdocs\test"
Options Indexes
LogFormat "%h %l %u %t \"%r\" %>s %b %v"
ErrorLog "|E:/IBMHTTPServer/bin/rotatelogs.exe E:/logs/ihs/cwk/error.log.%m.%d.%y 86400"
CustomLog "|E:/IBMHTTPServer/bin/rotatelogs.exe E:/logs/ihs/cwk/access.log.%m.%d.%y 86400" common
SSLEnable
SSLClientAuth 2
SSLClientAuthRequire ( CommonName = "x.x.x.com" || CommonName = "Automation Solutions" || CommonName = "y.y.y.com" || CommonName = "z.z.z.net" || CommonName = "T-INT-WEBSEAL-MASSL")
Keyfile "e:\WebSphere\AppServer\profiles\cwktstk1\etc\ihs\ihs_g7_key.kdb"
SSLStashfile "e:\WebSphere\AppServer\profiles\cwktstk1\etc\ihs\ihs_g7_key.sth"
SSLV2Timeout 100
SSLV3Timeout 1000
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass / https://localhost:11211/
ProxyPassReverse / https://localhost:11211/
SSLProxyEngine on
</VirtualHost>

In Tomcat I have added the following configuration. I am using a locally created keystore for this.
<Connector port="11211" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
URIEncoding="UTF-8"
/>

What do I need to do to get rid of the above error?
Has anyone done such a setup? Please help.
  • Sunit
    199 Posts

    Re: Redirect IHS to Tomcat

    2012-11-26T17:21:55Z
    IHS is connecting to the Tomcat server using HTTPS (SSL) protocol. Tomcat is presenting a self-signed certificate which is neither signed by a trusted CA nor in the Trusted certificates repository used by IHS.

    Export the public key of the Tomcat certificate and import it into your kdb.

    • Sunit
  • SystemAdmin
    3908 Posts

    Re: Redirect IHS to Tomcat

    2012-11-27T00:45:05Z
    Thanks Sunit.
    I exported the public key, but due to the structure of the work, it will take time to import the public key into the kdb.
    Is there any way to connect just using HTTP instead of HTTPS?

    I mean, if it is possible, I want to redirect in the below format.
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    To do that, what would be the ideal VirtualHost configuration instead of the configuration below? (I am a newbie at setting up VirtualHost config; I appreciate your help.)
    <VirtualHost cwktstk1:11210>
    ServerName cwktstk1
    DocumentRoot "E:\htdocs\test"
    Options Indexes
    LogFormat "%h %l %u %t \"%r\" %>s %b %v"
    ErrorLog "|E:/IBMHTTPServer/bin/rotatelogs.exe E:/logs/ihs/cwk/error.log.%m.%d.%y 86400"
    CustomLog "|E:/IBMHTTPServer/bin/rotatelogs.exe E:/logs/ihs/cwk/access.log.%m.%d.%y 86400" common
    SSLEnable
    SSLClientAuth 2
    SSLClientAuthRequire ( CommonName = "x.x.x.com" || CommonName = "Automation Solutions" || CommonName = "y.y.y.com" || CommonName = "z.z.z.net" || CommonName = "T-INT-WEBSEAL-MASSL")
    Keyfile "e:\WebSphere\AppServer\profiles\cwktstk1\etc\ihs\ihs_g7_key.kdb"
    SSLStashfile "e:\WebSphere\AppServer\profiles\cwktstk1\etc\ihs\ihs_g7_key.sth"
    SSLV2Timeout 100
    SSLV3Timeout 1000
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    SSLProxyEngine on
    </VirtualHost>

    In the end I need to have Tomcat <-> IHS non-SSL, as they are on the same machine.
  • Sunit
    199 Posts

    Re: Redirect IHS to Tomcat

    2012-11-27T16:46:31Z
    The following is a pure guess on my part.

    Change these directives:
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    SSLProxyEngine on

    Change to non-SSL port for Tomcat
    Remove SSLProxyEngine

    • Sunit
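
A check for the two proxy variants discussed in this thread, added here as an example and not code from the posters or from IBM: it reads the proxy directives of a VirtualHost block and reports whether the IHS-to-Tomcat hop needs the Tomcat certificate trusted in the kdb (HTTPS) or is cleartext that should stay on the same machine (HTTP). The function name, finding codes and sample strings are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_proxy(vhost: str) -> list[str]:
    """Return finding codes for the backend hop of one IHS/Apache VirtualHost block."""
    # ProxyPass <path> <url>; requiring whitespace after the name keeps ProxyPassReverse out.
    targets = re.findall(r"^[ \t]*ProxyPass[ \t]+\S+[ \t]+(\S+)", vhost, re.M | re.I)
    ssl_proxy = bool(re.search(r"^[ \t]*SSLProxyEngine[ \t]+on\b", vhost, re.M | re.I))
    findings = []
    for url in targets:
        parts = urlsplit(url)
        if parts.scheme == "https":
            # IHS is the TLS client on this hop and validates the backend certificate,
            # so a self-signed Tomcat certificate has to be trusted in the kdb.
            findings.append("BACKEND_CERT_MUST_BE_TRUSTED_IN_KDB" if ssl_proxy
                            else "HTTPS_BACKEND_WITHOUT_SSLPROXYENGINE")
        elif parts.scheme == "http":
            # Cleartext is only acceptable under the thread's "same machine" condition.
            if parts.hostname not in LOOPBACK:
                findings.append("CLEARTEXT_BACKEND_OFF_HOST")
            # SSLProxyEngine only matters for https:// targets.
            if ssl_proxy:
                findings.append("SSLPROXYENGINE_UNUSED")
    return findings

# Constructed samples: only the proxy lines of the VirtualHost blocks in the thread.
HTTPS_VARIANT = """
ProxyPass / https://localhost:11211/
ProxyPassReverse / https://localhost:11211/
SSLProxyEngine on
"""
HTTP_VARIANT = """
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
SSLProxyEngine on
"""
# Hypothetical host name, showing the case the "same machine" condition excludes.
REMOTE_HTTP = "ProxyPass / http://tomcat.example.internal:8080/\n"

if __name__ == "__main__":
    for name, conf in [("https", HTTPS_VARIANT), ("http", HTTP_VARIANT),
                       ("remote", REMOTE_HTTP)]:
        print(name, audit_proxy(conf))
```

With the HTTP variant, the client-certificate check configured in the VirtualHost only protects the application if Tomcat's port 8080 is not reachable from other hosts.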
  • SystemAdmin
    3908 Posts

    Re: Redirect IHS to Tomcat

    2012-11-28T00:21:13Z
    Thanks Sunit, that works.